Election Hack: Stealing Votes the Cyber Way

How a student council candidate rigged his own election by stealing fellow students’ identities.

Election HackStealing Votes the Cyber Way

08/05/13

A 22-year-old candidate for student council president at California State University San Marcos hoped to guarantee victory by rigging the election through cyber fraud, but he ended up winning a year in prison instead.

Matthew Weaver used small electronic devices called keyloggers to steal the passwords and identities of nearly 750 fellow students. Then he cast votes for himself—and some of his friends on the ballot—using the stolen names. He was caught during the final hour of the election in March 2012, when network administrators noticed unusual voting activity associated with a single computer on campus. A Cal State police officer sent to investigate found Weaver working at that machine. He had cast more than 600 votes for himself using the stolen identities.

“Some people wanted to paint this as a college prank gone bad, but he took the identities of almost 750 people, and that’s a serious thing,” said Special Agent Charles Chabalko, who worked the investigation out of our San Diego Division after being contacted by Cal State authorities. “He had access to these students’ e-mails, financial information, and their social networks. He had access to everything.”

Weaver installed keyloggers—inexpensive devices easily purchased on the Internet—on 19 different campus computers. Those who used the machines were unaware that Weaver could later retrieve every keystroke they made, enabling him to obtain their usernames and passwords and then gain access to all their information.

When cyber investigator Chabalko and his partner, Special Agent Nick Arico, analyzed Weaver’s laptop after his arrest, they found a spreadsheet that included the names of all the people whose identities he had stolen. “He kept a detailed accounting,” Chabalko said.

And that’s not all investigators found. Weaver had made online searches that included topics such as “jail time for keylogger” and “how to rig an election.”

“He knew what he did was wrong,” Chabalko said. “And even after he was caught, he didn’t want to own up to what he did. He tried to cover up his actions and blame his crime on other students.”

The evidence against Weaver was overwhelming, however, and he pled guilty in March 2013 to identity theft, wire fraud, and unauthorized access of a computer. At his sentencing last month, the federal judge who sent Weaver to prison noted that Weaver trying to frame others for his crime is “the phenomenal misjudgment I just can’t get around. That’s what bothers me more than the original rigging of the election.”

The investigators agreed, noting that while it was wrong for Weaver to try and steal the election, “what we were really concerned about was the privacy of those students whose identities he stole,” Chabalko said. Prosecutors from the U.S. Attorney’s Office felt the same way, writing in their sentencing memorandum, “Weaver determinedly and repeatedly spied on his classmates, stole their passwords, read their secrets, and usurped their votes—and he did it with his eyes wide open.”

Weaver has a restitution hearing set for August 12, at which time the judge will hear evidence regarding the losses incurred by his victims. While the court has yet to determine those losses, Weaver and his friends on the ballot would have collected $36,000 in stipends and controlled a student budget of $300,000 if his vote-rigging plan had succeeded.